Secretaries of State Find Federal Election Cyber Intelligence Elusive
With the upcoming midterm elections, it's a race to establish better information sharing between Homeland Security and state and local elections officials.
WASHINGTON — A number of secretaries of state expressed frustration this week with the limited cyber intelligence their offices are receiving from the Department of Homeland Security, five months after the agency finally notified 21 states they were targeted during the 2016 election.
With the 2018 midterm elections fast approaching, the secretaries pressed federal intelligence officials for scant new details Friday in classified briefings coinciding with their National Association of Secretaries of State winter conference in the nation's capital.
DHS wrote the secretaries in at the “secret” level, meaning the unauthorized disclosure of the information shared could be expected to cause serious damage to national security, but more than one attendee found the intel lacking.
“The biggest clash is I don’t think Homeland is used to having an environment that is so transparent. That’s really what we’re working on in terms of communication,” Washington Secretary of State Kim Wyman told Route Fifty in an interview. “The briefing was good to confirm what we already knew, but I didn’t really hear a lot of information that was new.”
When asked what President Trump was doing about Russian interference in the 2016 election at Tuesday’s White House press briefing, Press Secretary Sarah Huckabee Sanders touted DHS’s meeting with NASS officials.
“We have spent a lot of time working on cybersecurity, focusing on protecting the fairness on our elections,” she said, and the secretaries agree.
But New Hampshire Secretary of State Bill Gardner still had to ask DHS officials Saturday—only a day after the classified security briefings—how certain they were Russia was behind the only confirmed 2016 election breach of Illinois’ voter registration system.
West Virginia Secretary of State Mac Warner said DHS’s current “security apparatus” is “counterproductive” to the secretaries of state’s transparency efforts.
“Somebody behind closed doors has to tell the secretaries with security clearances what happened so we can defend against it,” Warner said. “Why things are classified has to be explained to us, and then we can keep our mouths shut. But really what happened yesterday, where we all signed our lives away or whatever and can’t talk about it, I think made it worse than what we had before.”
DHS continues to work on declassification, replied Bob Kolasky, deputy assistant secretary in the agency’s Office of Infrastructure Protection.
Kolasky wasn’t comfortable discussing state specifics in a public forum but defended DHS procedures as boosting community resilience in anticipation of a Russian threat that could be “different” or “worse” next time around. He characterized Russian activity in 2016 as “mostly exploratory” but with organization and purpose.
“Just because we saw something that wasn’t as serious as it seems the U.S. government has made it, there are reasons that we’re worried things could become more serious,” Kolasky said.
In its last month in office, the Obama administration designated all election infrastructure “critical,” a move that spawned the Election Infrastructure Government Coordinating Council. EIS-GCC includes federal, state and local government representatives working to improve threat information sharing protocols and resources for elections officials, and the Trump administration pointed to it Saturday as a sign vigilance has improved.
The GCC prioritized internal communications and external messaging in early February, but the council has yet to finalize communications protocols outside of an hour-long, biweekly call.
“The relationship between the secretaries and DHS and GCC is going about as well as an arranged marriage can go,” said Indiana Secretary of State Connie Lawson, who presides over NASS.
Sometimes one division of DHS “doesn’t know what the other one’s doing,” she said, though that’s improved of late.
Some states are currently participating in a GCC pilot for sharing election-specific threat indicators that, if successful, will be opened to any state interested.
DHS further plans to double the number of cybersecurity advisors, currently at 11, assisting regional advisors in helping states with security diagnostics and trainings and then double it again in 2019, said Sabra Horne, director of DHS Stakeholder Engagement for Cyber Infrastructure Resilience.
“You’re going to be seeing a lot tighter coordination out of DHS and the federal government,” said Christopher Krebs, DHS senior official with the National Protection and Programs Directorate.
Lack of communication trickles down to local elections officials, who are often unaware of free DHS and Multi-State Information Sharing and Analysis Center tools available to them like cyber-hygiene scanning, said Noah Praetz, Cook County, Illinois director of elections.
Lately DHS and state elections agencies have shifted to a “zero-trust security posture,” which assumes a hostile environment regardless of whether an elections system user is coming off the internet or from in-network, said Tom Ruff, Akamai Technologies vice president of public sector, in a phone interview.
The tech company’s software supports elections everywhere from San Diego County to the state of North Carolina, but nowhere is there a consistent approach to security—largely due to funding constraints. GCC, MS-ISAC and other independent initiatives have promise, Ruff said, and Akamai is gearing up to offer a no-cost data exfiltration prevention solution to states and counties to get them through the midterms.
In the long-term, secretaries are pushing to receive additional Help America Vote Act funds.
For its part, Washington's state government has ramped up penetration testing and intends to train state and local election officials heavily heading into the midterms later this year. Wyman said she feels good about the additional layers of security.
“Balancing how do we make sure the public is confident that we’re confident, that’s what I need to do,” Wyman said. “And we’re not going to give a lot of specifics because we don’t want the hackers to have any advantages more than they already do.”
NEXT STORY: Beware of W-2-Related Phishing Scams